Reporting
In order to give the community time to respond and upgrade we strongly urge you report
all security issues privately. Please email us at security@hangfire.io
with details and we will respond ASAP. Security issues always take precedence over bug
fixes and feature work.
Security Newsletter
Subscribe to receive security announcements by email as soon as possible. Very low traffic, unsubscribe at any time.
This security patch fixes a regression appeared in the previous version 1.7.25 that makes Dashboard UI available for remote requests in the default configuration, e.g. when no authentication filter specified. Please note that when custom authentication filter is defined as recommended in the documentation, everything works as expected, but upgrade is recommended in any case. Please read the GHSA-7rq6-7gv8-c37h security advisory for details.
Continue Reading →
On Apr 15, 2021 Codecov (code coverage tool) team reported Bash Uploader Security Update post where they describe their recent security breach, a yet another attack on supply chain. Since we have used this software for Hangfire in the past, and since it’s still used by one of our projects, Cronos, we began to understand what’s happened. And in short – we’ve used Codecov tool from PyPI (Python Package Index) that’s different from the Bash Uploader one and is unaffected by the recent breach, according to Codecov team.
Continue Reading →
This version contains security fixes to prevent possible XSS attacks as described in #1441. They don’t relate to user data submitted to Hangfire directly via method arguments, but it’s recommended to upgrade anyway. If you are using Hangfire 1.6, please upgrade to version 1.6.26 instead.
Continue Reading →
This release contains fixes for security issues related to dashboard, so it is highly recommended to upgrade. Cross-Site Request Forgery protection was added by using existing libraries, but methods are different across application frameworks:
Continue Reading →
This release fixes a security issue that caused Redis password leaks to log targets during the Hangfire Server startup. The password was also shown in dashboard. If you are using password-protected Redis, it is highly recommended to update to this release, and change Redis password.
Continue Reading →